ombudsman news

issue 145

August 2018

fraud and scams: case studies

In the last financial year, we saw more than 8,000 cases involving people who’d complained to their banks about fraud and scams – in circumstances ranging from disputed card transactions and cash machine withdrawals, to online banking fraud and identity theft.

These case studies illustrate the range of disputes we’re called into – which typically arise when a bank has refused to cover the money their customer is saying they’ve lost. This is generally either because the bank believes their customer acted fraudulently, or because they believe their customer acted with “gross negligence”. This reflects the position outlined in the Payment Services Regulations 2017, which says a customer (or “payee”) is liable for losses if either of these conditions apply. This is something we take into account when we’re deciding what’s fair and reasonable in all the circumstances.

To decide whether someone authorised what they’re saying is a fraudulent transaction, we’ll look carefully at the sequence of events leading up to it. But often everyone accepts that the customer didn’t actually make the payment – and the dispute instead centres on whether they acted in a “grossly negligent” way.

…we interpret “gross negligence” to be a higher standard than the standard of negligence under common law. The customer needs to have shown a very significant degree of carelessness (p122)

Our ombudsman focus highlights the increasing sophistication of criminals’ methods. And the fact people are often manipulated into thinking their money’s at risk is something we’ll think carefully about before deciding whether someone’s acted in a way that goes beyond what might be described as careless.

case studies

145/1 - “Is replying to a text message that I thought was from my bank really “grossly negligent?”

145/2 - “Fraudsters took control of my phone and my bank account – why am I being held responsible?”

145/3 - “The bank says my debit card was used to take money out of my account, but no one uses the card except me.”

145/4 - “How can I be responsible for money being taken when I didn’t receive my debit card or my PIN for my new bank account?”

145/5 - “My bank says I paid €1,400 for champagne but I only had two G&Ts”

145/1“Is replying to a text message that I thought was from my bank really “grossly negligent?”

Brian contacted us after his bank refused to refund him money that was stolen from his account in a text message scam.

He explained it had all begun when he’d received a message that he’d thought was from his bank – but that he’d later found out was a “smishing” or SMS scam. His bank was saying that, because he’d given out his security details and passcodes, he’d been “grossly negligent” – and they wouldn’t refund the £7,000 he’d transferred unwittingly to the fraudsters.

Brian said everything was so convincing that he couldn’t have known he was being scammed. So he didn’t think the bank’s response was fair – and asked us for our view.

how we helped

We asked Brian for more information about what had happened to him. He explained he’d received a text message from a number he’d thought to be his bank. In fact, it had gone into the same chain of messages on his phone as genuine messages he’d previously received from the bank.

Brian said the text message had warned of a fraudulent payment and asked him to phone his bank immediately on the number in the text. He’d done so and spoken to someone who, at the time, he thought worked at his bank. They’d said he would receive a code by text, which he’d need to give to them so they could stop the fraudulent payment leaving his account.

Brian explained that the information he’d been asked to give during the call was just like what he’d been asked for when he’d phoned his bank in the past. So he hadn’t realised he was actually talking to fraudsters. And when the code arrived, he’d given it straight to them.

It seemed the payment had then triggered the bank’s fraud systems – and another code was sent to him by text. He’d given the fraudsters this code, too – and they’d used it to authorise a payment out of his account. Within minutes, the fraudsters had taken £7,000.

We asked the bank for their view. They told us it was Brian’s obligation to take reasonable steps to keep the personalised security features of his account safe. They also told us they emailed their customers warnings about this type of scam – and they thought Brian should have read these.

First, we considered whether Brian had authorised the transactions. We concluded that he hadn’t – it had been the fraudsters with the information they’d obtained. We then considered what Brian had said about the initial text message he’d received and the similarity between the security questions asked by his bank and the information he was asked for during the scam. As the scammers appeared to be aware of the bank’s fraud and security procedures, including the fact that security codes were sent out by text, we thought Brian’s account of what had happened was plausible.

This was clearly a sophisticated fraud. And in light of the worrying and time-sensitive situation Brian had believed he was in – and the way the fraudsters had gained his trust – we thought his actions had been reasonable. We didn’t agree with the bank that he’d been grossly negligent – and the fact they’d sent him a general email about scams didn’t change our view.

We told the bank to put things right by reimbursing the £7,000 payment to Brian’s account.

145/2“Fraudsters took control of my phone and my bank account – why am I being held responsible?”

Mia contacted us after fraudsters stole several thousand pounds from her account.

She’d been told by her bank that she’d put her security details into a fake website. And she’d been told by her mobile phone provider that she’d been a victim of a “SIM swap”. The same fraudsters had apparently been behind both these scams – and had managed to log into her online banking and authorise the payment.

Mia told us her bank were saying she’d been “grossly negligent” in putting her details into the fake website – and were refusing to refund the money she’d lost. Mia didn’t think this was fair and asked for our help.

how we helped

We asked Mia to explain in more detail what had happened. She said she’d noticed the money was missing shortly after having trouble with online banking. She said she hadn’t been able to log on, despite being sure she was using the correct details and passwords. The next day, checking her balance at a cash machine, she’d noticed the money was missing from her bank account.

Mia explained she’d had trouble with her mobile phone at the same time. From speaking to her phone provider, she’d discovered fraudsters had also targeted her mobile account. Pretending to be her, they’d managed to get a new SIM card sent out. She now knew these must have been the same fraudsters behind the fake banking website. So when Mia’s bank had sent a passcode to her number to authorise the payment, it had been the fraudsters – logged into her online banking – who’d received the code.

Mia’s bank said that the fraudsters must have had her security information to make the transfer. They said Mia had put her details into a fake website designed to look like their own, which had come up near the top of a search engine result. Mia would have thought she was having trouble logging on to her online banking – but actually the fraudsters were collecting the details she was typing in.

The bank showed us images of the scam website they thought Mia had used. In our view, this was almost identical to the bank’s own website.

The bank accepted that Mia hadn’t authorised the payment from her account. They recognised that, because of the SIM swap, the fraudsters had taken control of Mia’s phone and account – so it hadn’t been Mia who’d received the passcode. Without this passcode, the log-in information wouldn’t have been enough for the payments to be authorised from Mia’s account. And it wasn’t Mia’s fault that a SIM card had been issued to fraudsters in the first place.

All in all, we didn’t agree that Mia had been grossly negligent. So we said the bank should refund the money that was taken as part of the scam.

145/3“The bank says my debit card was used to take money out of my account, but no one uses the card except me.”

Jas contacted us after getting into a dispute with her bank over cash withdrawals she said she didn’t recognise.

She explained she’d noticed several large withdrawals on her monthly statement – and had called her bank to report them as fraudulent. But because she hadn’t been able to explain how they’d happened, the bank had said she must have made them herself or given someone her PIN.

Frustrated that the bank wouldn’t give her money back, Jas wanted us to step in.

how we helped

Jas told us she never withdrew that much cash in one go – and she hadn’t been at a cash point at the time the transactions happened. She said she couldn’t afford to lose that much money, which was a significant chunk of her monthly pension. She said she’d changed her PIN a few years ago from the one she was issued with, and hadn’t ever told it to anyone.

Jas also said she’d been to the police and tried to get CCTV footage of the cash point, which she thought would prove she hadn’t made the withdrawals. But the bank had initially directed her to the wrong footage – and by the time they’d realised their mistake, the correct footage had been deleted.

We explained to Jas that CCTV footage can sometimes be an important piece of evidence – and that it should form part of a business’s investigation when it’s available. But we also explained that isn’t always helpful in resolving disputes like hers – as it can sometimes be unclear and so not take us any further forward in understanding what’s happened. We told Jas that because the CCTV footage wasn’t available, we’d look closely at the bank’s records of her transaction history – and weigh these up against everything she’d said.

The bank provided evidence to show Jas’s genuine card had been used for the withdrawals. They’d been made 30 miles from Jas’s house, at separate cashpoints a mile or so apart – just before and just after midnight.

Looking at the pattern of spending on Jas’s account, it seemed she’d made smaller cash withdrawals – which she said she recognised – after the transactions she was disputing. So the card would have had to be removed and replaced from Jas’s possession.

However, having considered the relevant rules and regulations – in particular, the Payment Service Regulations 2017 – we didn’t think the available evidence was enough to suggest Jas had authorised the transactions. And it was more likely than not that someone else had made the transactions using her card.

We considered what Jas had told us about where she kept her card, and about how no one else knew her PIN. We found her account of what had happened, including what she’d said to the police, to be consistent and plausible. And taking everything into account, we didn’t think the bank had shown she’d been grossly negligent with either of these things.

We recognised that there was a limited number of people that could have made the transactions. But on balance, we didn’t think it was more likely than not that Jas had made or authorised the transactions – or that she’d been grossly negligent. So we told the bank to refund the two disputed transactions.

145/4“How can I be responsible for money being taken when I didn’t receive my debit card or my PIN for my new bank account?”

Sam contacted us after his bank told him he was making a false claim for disputed transactions.

He explained that, shortly after opening a new bank account, he’d called his bank because he hadn’t received his card or PIN. But the bank had said the card and PIN had already been used for a number of cash withdrawals during the week, using up most of the money in the account.

Sam said he’d told the bank he hadn’t taken the money out himself. But the bank didn’t agree – and their fraud department had told Sam they were closing his account. Left without his money, Sam asked us to help him get it back.

how we helped

Sam told us he’d recently started at university, and his parents had given him cash for his accommodation costs and spending money. He explained that after paying his rent, he’d put the rest of the money into the newly-opened account. He said he’d been told his new card and PIN would be sent to him in the post.

Sam told us he’d waited about a week before calling the bank to ask why his card and PIN hadn’t arrived yet. And it seemed that it was during this time that his money had been taken.

The bank said the card and PIN were sent separately to the address Sam had provided. They thought it was unlikely that someone other than Sam had intercepted both pieces of post.

Sam sent us photos of the communal post box in the reception area of his block of flats, which showed post was just left on open shelves. So anyone who had access to the reception area could also have had access to everyone’s post.

The bank told us a further transaction had been attempted and declined two days after Sam had called about the unauthorised transactions. But from the bank’s records, it didn’t seem their fraud team had actually investigated this transaction – and established whether Sam or someone else had made it – before they’d decided to close Sam’s account.

Taking everything into account, we didn’t think the bank had treated Sam fairly. They couldn’t show on balance that Sam had authorised the withdrawals, or explain why the transaction made after the card was cancelled hadn’t been looked into. So we told them to refund the payments back to Sam.

145/5 “My bank says I paid €1,400 for champagne but I only had two G&Ts”

Mel got in touch with us after his bank reinstated a disputed bank transaction for drinks he bought on holiday while he was in what he called a “gentleman’s club”.

He told us he’d ordered two gin and tonics, which he thought had cost €14. But when he’d checked his account the next day, he noticed he had been charged over €1,400.

Mel said he’d contacted his bank – but they’d said they were satisfied the transaction was genuine and wouldn’t return the money.

how we helped

We asked Mel for his bank statements so we could look at the transaction, along with others he’d made on the same trip. He told us he’d only bought two drinks while at the club, despite being there for several hours.

When we looked at the statements, we found this wasn’t consistent with Mel’s spending at other clubs on the same day, where he’d regularly been spending a considerable amount of money on drinks. Mel told us other people in the group had been buying him drinks, but didn’t have anything to back this up.

We looked at the bank’s records. We saw they’d raised a chargeback as soon as Mel had told them about the incorrect payment. They’d put the money back in his account while they were investigating the transaction with the club. But when the club had provided evidence of the chip and pin transaction, including the sale receipt, the bank had given the money back to the club from Mel’s account at the conclusion of the chargeback process.

Mel didn’t deny that he had used his card and pin to buy drinks at the club. But he was adamant that he had only authorised a payment of €14 for the drinks he’d bought. We looked at the receipt the club had provided and saw the order was actually for two bottles of champagne, costing €700 each.

There was no evidence to clarify what the club’s payment terminal had shown when Mel entered his PIN. But looking at all the evidence, we thought it was more likely than not that, if he’d checked the terminal, it would have shown €1,400 – and that he had, at the time, meant to make a payment for that amount. By using his card and entering his PIN, Mel had authorised the transaction – like the other similar transactions he’d made that same night.

We can’t, of course, always know for sure what happened in cases like Mel’s. However, on balance, we thought the bank had done what they should while they were investigating the facts behind the disputed transaction. And we thought it was more likely than not, based on the evidence we’d seen, that Mel had bought the more expensive drinks. So we explained we wouldn’t tell the bank to give him a refund.